When the news media reports on data breaches and other forms of cybercrime, the center of the story is usually a major software company, financial institution, or retailer. But in reality, these types of attacks are merely part of the damage that global hackers cause on a daily basis.

Town and city governments are becoming a more common target for online criminals. For example, a small city in Florida, Riviera Beach, had their office computers hacked and ended up paying $600,000 to try to reverse the damage. Hackers saw this as a successful breach and are now inspired to look at more public institutions that could be vulnerable.

Why are cities and towns so susceptible to hacking, how are these attacks carried out, and what steps should administrators take to protect citizen data?

How Hackers Choose Targets

While some cybercriminals seek out exploits for the sole purpose of causing destruction or frustration, the majority of hackers are looking to make money. Their aim is to locate organizations with poor security practices so that they can infiltrate their networks and online systems. Sometimes hackers will actually hide inside of a local network or database for an extended period of time without the organization realizing it.

Hackers usually cash in through one of two ways. The first way is to try to steal data, like email addresses, passwords, and credit card numbers, from an internal system and then sell that information on the dark web. The alternative is a ransomware attack, in which the hacker holds computer systems hostage and unusable until the organization pays for them to be released.

City and town governments are becoming a common target for hackers because they often rely on outdated legacy software or else have built tools internally that may not be fully secure. These organizations rarely have a dedicated cybersecurity team or extensive testing procedures.

The Basics of Ransomware

Ransomware attacks, like the one which struck the city government of Riviera Beach, can begin with one simple click of a dangerous link. Hackers will often launch targeted phishing scams at an organization’s members via emails that are designed to look legitimate.

When a link within one of these emails is clicked, the hacker will attempt to hijack the user’s local system. If successful, their next move will be to seek out other nodes on the network. Then they will deploy a piece of malware that will lock all internal users from accessing the systems.

At this point, the town or city employees will usually see a message posted on their screen demanding a ransom payment. Some forms of ransomware will actually encrypt all individual files on an operating system so that the users have no way of opening or copying them.

Ways to Defend Yourself

Cybersecurity threats should be taken seriously by all members of an organization. The first step to stopping hackers is promoting awareness of potential attacks. This can be done through regular training sessions. Additionally, an organization’s IT department should evaluate the following areas immediately.

• Security Tools: City governments should have a well-reviewed, full-featured, and updated virus scanning tool installed on the network to flag potential threats. At an organization level, firewall policies should be put in place to filter incoming traffic and only allow connections from reputable sources.
• Web Hosting: With the eternal pressure to stick to a budget, cities often choose a web host based on the lowest price, which can lead to a disaster that far exceeds any cost savings. In a recent comparison of low cost web hosts, community-supported research group Hosting Canada tracked providers using Pingdom and found that the ostensibly “free” and discount hosts had an average uptime of only 96.54%.For reference, 99.9% is considered by the industry to be the bare minimum. Excessive downtime often correlates to older hardware and outdated software that is more easily compromised.   
• Virtual Private Network (VPN): This one should be mandatory for any employee who works remotely or needs to connect to public wi-fi networks. A VPN encodes all data in a secure tunnel as it leaves your device and heads to the open internet. This means that if a hacker tries to intercept your web traffic, they will be unable to view the raw content. However, a VPN is not enough to stop ransomware attacks or other forms of malware. It simply provides you with an anonymous IP address to use for exchanging data.

Looking Ahead

Local governments need to maintain a robust risk management approach while preparing for potential attacks from hackers. Most security experts agree that the Riviera Beach group actually did the wrong thing by paying out the hacker ransomware. This is because there’s no guarantee that the payment will result in the unlocking of all systems and data.

During a ransomware attack, an organization needs to act swiftly. When the first piece of malware is detected, the infected hardware should be immediately shut down and disconnected from the local network to limit the spread of the virus. Any affected machine should then have its hard drive wiped and restored to a previous backup from before the attack began.

Preparing for different forms of cyberattack is a critical activity within a disaster recovery plan. Every organization should have their plan defined with various team members assigned to roles and responsibilities. Cities and towns should also consider investing in penetration testing from outside groups and also explore the increasingly popular zero-trust security strategy as a way to harden the network. During a penetration test, experts explore potential gaps in your security approach and report the issues to you directly, allowing you to fix problems before hackers exploit them.

Final Thoughts

With ransomware attacks, a hacker looks to infiltrate an organization’s network and hold their hardware and data files hostage until they receive a large payment. City and town government offices are becoming a common target for these instances of cybercrime due to their immature security systems and reliance on legacy software.

The only way to stop the trend of ransomware is for municipal organizations to build a reputation of having strong security defenses. This starts at the employee level, with people being trained to look for danger online and learning how to keep their own hardware and software safe.

About the author: A former defense contractor for the US Navy, Sam Bocetta turned to freelance journalism in retirement, focusing his writing on US diplomacy and national security, as well as technology trends in cyberwarfare, cyberdefense, and cryptography.

Copyright 2010 Respective Author at Infosec Island

Greetings from Portsmouth, New Hampshire!

Hard to believe we’re in mid-August already, but here we are — dare I say it? — nearing the end of summer. There’s nothing quite like August in the Seacoast. There’s a sort of bittersweet beauty to it: As the daylight wanes, temperatures cool down, harvested fruits and vegetables taste delicious, while the crickets lend a soothing symphony of sound at night. But I sense this is just the calm before what will likely be a stormy fall in the privacy world, particularly here in the U.S.

To wit: The California Legislature reconvened Monday ahead of what will surely be a busy month debating the merits of several amendments to the California Consumer Privacy Act. Of course, time is of the essence as the legislative body has one month to finalize and pass any changes. And there’s quite a bit up in the air right now. 

Fortunately, CCPA co-architect Mary Stone Ross shared her thoughts with us on the top issues she’ll be watching in the coming weeks. How will “personal information” and “deidentified” be defined? Will the powerful chairwoman of the Judiciary Committee, Hannah-Beth Jackson, pull back any bills if industry successfully pushes for changes to them? Will retailers be barred from selling personal information collected via loyalty card programs? What about the attorney general’s preliminary rules? Will the governor sign any amendments that come out of this session prior to the Oct. 13 deadline? And will there be other “Sacramento shenanigans”?

The legislative timeline is tight. Aug. 30 will be the last day for fiscal committees to meet and report bills, and, according to Ross, all committees must meet prior to Sept. 3, and any amendments on the floor must come before Sept. 6. The last day of the session is Sept. 13, so it will be a notable day for those tracking the CCPA. Gov. Gavin Newsom then has one month to sign any amendments into law. 

Also CCPA-related, we featured an interesting angle this week from Annie Bai and Peter McLaughlin. “There is a simple and innocuous-sounding CCPA requirement stating that requests for access and deletion must be ‘verified,'” they write. “However, the law does not clarify what qualifies as verified.” 

Bai and McLaughlin argue that this provision will create significant business risk, citing a recent study on using data subject access requests under the EU General Data Protection Regulation to fraudulently access to other users’ personal information. Surely, many companies have not yet implemented robust DSAR-verification programs, opening them and their customers up to identity theft and unauthorized access. “In the name of empowering consumers,” Bai and McLaughlin point out, “the [CCPA] is actually introducing threat vectors that can be manipulated by fraudsters. This presents a considerable risk to organizations by enabling a data breach while ostensibly trying to comply with the law and support a customer’s data access request.” This means businesses “need to be vigilant as they set up their consumer-response processes,” Bai and McLaughlin suggest.

The IAPP-EY Annual Privacy Governance Report 2017 found that DSARs were among the top-three most difficult GDPR obligations for those surveyed. Verification adds one more layer of complexity. The IAPP has published several articles on operationalizing DSAR responses, like this one for the GDPR and this one from the IAPP’s Rita Heimes. Privacy tech vendors are also developing various DSAR response technology, some of which can be found in the new Privacy Tech Vendor Report 2019. All in all, there’s lots to consider. 

As we near the unofficial end to summer, hopefully you can enjoy some downtime — maybe even head to the lake or the beach — because we’re in for a busy fall! 

Reuters reports the Irish Data Protection Commission has almost concluded its first investigation into a multinational organization under the EU General Data Protection Regulation. Irish Data Protection Commissioner Helen Dixon said in an interview with The Irish Independent the office’s first major GDPR ruling will likely involve its probe into WhatsApp; however, a formal decision is still a ways off. “I’d like to say that we could do it in 48 hours, but it has to be in the order of months, to be done in the way that it has to be done,� Dixon said. “I will have to allow them a period of time to respond. I would have to consider their responses.�
Full Story

We know, there’s lots of privacy news, guidance and documentation to keep up with every day. And we also know, you’re busy doing all the things required of the modern privacy professional. Sure, we distill the latest news and relevant content down in the Daily Dashboard and our weekly regional digests, but sometimes that’s even too much. To help, we offer our top-five, most-read stories of the week. 

1. Privacy Perspectives: “What one CCPA co-architect will watch closely with Sacramento back in session,” by former Californians for Consumer Privacy President Mary Stone Ross
2. Privacy Perspectives: “Why the CCPA’s ‘verified consumer request’ is a business risk,” by Annie Bai, CIMP, CIPP/US, and Peter McLaughlin, CIPP/US
3. Daily Dashboard: “Study: Majority of cookie notices are not GDPR compliant“
4. Daily Dashboard: “Human transcription of audio chats draws scrutiny from regulators, lawmakers“
5. Daily Dashboard: “Organization’s interference with DPO could lead to GDPR fine“

Greetings from Brussels!

There have been multiple examples of “credential stuffing” referenced in the media lately. For those unfamiliar with the term, credential stuffing is the automated injection of breached or dumped username/password pairings in order to fraudulently gain access to user accounts across different web services.

Transport for London recently experienced such an attack that resulted in its online Oyster smartcard system being pulled offline for two days; this meant that customers were unable to access their accounts either to check their balance or credit their travel cards. TfL initially cited “performance-based issues” before clarifying that their system has been compromised.

According to TfL, a small number of accounts were accessed “after their login credentials were compromised when using non-TfL websites.� In other words, the customer intrusions were the result of those individuals who used email address and password combinations for their Oyster accounts that were used for one or more hacked websites. It emerged later that only 1,200 customers were affected by the breach. TfL has stated that no customer payment details were accessed and that ultimately their network was not compromised. However, 6 million online users were also affected by the disruption to the online service. Not a small issue — customer care must have been inundated with commuter complaints. TfL said they were in touch with the National Cyber Security Centre, as well as the ICO.

The Daily Dashboard recently reported on a separate credential stuffing incident at U.S.-based State Farm Insurance. This is perhaps more alarming as it involves an insurance company. Here, too, no actual fraudulent activity was detected in those accounts that were affected.

This hacking technique is on the rise, and the extent of “credential extraction” that has happened over recent years through any number of breaches means that digital services are increasingly at risk from the credential stuffing phenomenon: arguably a relatively simplistic way to compromise websites and user accounts. For such a simple technique, credential stuffing is frustratingly difficult to combat. Moreover, the key culprit or willing accessory — if you like — in this stuffing debacle is really “ourselves”; it is simply human weakness to use repeat logins and passwords for multiple accounts. The best way to protect against credential stuffing attacks is to use unique passwords for each of your digital accounts. Often, this is more efficient with a password manager system and two-factor authentication when available. I also refer to my notes back in June when I discussed the newly expected privacy features of “Sign in with Appleâ€� under iOS13, which will include randomly generated email address IDs for the purpose of logins.

The dangers of credential dumping are not only restricted to obtaining access to your online accounts along with personal and or confidential financial data. The end result can also potentially lead to unbridled access to your devices and possibly shared networks for other nefarious purposes and transactions with far-reaching consequences. And while companies are constantly improving their detection and blocking of credential stuffing attempts, there is no foolproof way of defending against such attacks. The onus is largely on the user, to think smart and own their privacy controls.

The U.K. Information Commissioner’s Office released resources to help town and parish councils comply with the EU General Data Protection Regulation. ICO Senior Policy Officer Stacey Egerton wrote in a blog post the agency has worked with 50 local councils to help better understand the challenges they face as they work to ensure GDPR compliance. In response to their collaborations, the ICO released a fact sheet for local councils on the use of personal devices, a resource pack on data audits and six steps for local councils to shore up their data-sharing practices.
Full Story

The Irish Data Protection Commission has asked Facebook about how it had paid contractors to transcribe users’ audio, Politico reports. The tech company said it was allowed to perform the activity after consumers opted in to the practice. “We are now seeking detailed information from Facebook on the processing in question and how Facebook believes that such processing of data is compliant with their GDPR obligations,” the agency said in a statement. In response to the Facebook report, U.S. lawmakers have renewed their calls for new privacy legislation. Meanwhile, Microsoft updated its privacy notice to state that staff members and contractors may listen to recordings gathered by Cortana devices and Skype Translator products. A spokesperson said, “We realized, based on questions raised recently, that we could do a better job specifying that humans sometimes review this content.”
Full Story

The Irish Data Protection Commission released guidance to help data controllers better understand the data breach notification requirements found within the EU General Data Protection Regulation. The guide covers notifications controllers need to send to both the data subjects affected by a breach and to the agency itself. The agency offers a definition of what constitutes a breach and when a controller has to notify the agency. The document also contains a link to the DPC’s breach notification page.
Full Story

The Berlin Commissioner for Data Protection and Freedom of Information plans to issue a large fine to a company for violations of the EU General Data Protection Regulation, t-online.de reports. The agency’s spokeswoman, Dalia Kues, said the organization could be fined tens of millions of euros for the infraction; however, the agency cannot release the name of the company for legal reasons. Kues also confirmed Berlin Data Protection Officer Maja Smoltczyk issued two GDPR fines totaling 200,000 euros against another unnamed organization. The second company has the opportunity to appeal the penalties. (Original article is in German.)
Full Story

Sometimes it seems like all authenticators are compromised. Passwords, identity documents and even knowledge-based authentication — a plethora of these and other authenticators are readily available on the web or the dark web.

The terrible beauty of the California Consumer Privacy Act is that innumerable companies will soon be required to undertake totally novel consumer-facing responsibilities. In the name of empowering consumers, the law is actually introducing threat vectors that can be manipulated by fraudsters. This presents a considerable risk to organizations by enabling a data breach while ostensibly trying to comply with the law and support a consumer’s data access request.             

There is a simple and innocuous-sounding CCPA requirement stating that requests for access and deletion must be “verified.� However, the law does not clarify what qualifies as verified.

So, similar to what we’ve seen for the EU General Data Protection Regulation, companies will be taking on a range of low-tech solutions to satisfy the verification requirement. Current concerns center on responding to requestors invoking their privacy rights — without a serious contemplation of what it is to respond to a right to access or delete to an imposter. Those who have been in this space for a while will recall the 2004 ChoicePoint breach in which the data aggregation company inadequately screened its customers such that identity thieves were able to set up fake businesses as a way to buy personal information.

The terrible beauty of the California Consumer Privacy Act is that innumerable companies will soon be required to undertake totally novel consumer-facing responsibilities.

The GDPR contains a similar requirement and so presents a learning opportunity for those seeking compliance with the CCPA. Researchers James Pavur and Casey Knerr recently found just how easy it is to take advantage of the European right to a data subject access request. They conducted an exploratory social engineering experiment (“GDPArrrrr: Using Privacy Laws to Steal Identities“), finding that some companies acted upon receipt of the most basic, easily forged or obtainable documents — even a postmarked envelope or heavily redacted photocopy of a bank statement.

The current compliance responses are manual, naive and easily manipulable. Pavur and Knerr believe the fact that online identity verification is fraught with fraud.

As privacy pros, we know that mounds of personal information, including document images themselves, have been compromised by hackers and are available in dark web marketplaces. This is exactly why regulated industries, such as financial services, spend billions on robust identity verification tools and services. Where identity theft has traditionally been monetized into fraudulent accounts, target companies have heightened awareness of how identity data can be manipulated. They have invested in anti-fraud, know-your-customer and anti-money-laundering compliance programs, so why would an e-commerce or retail outfit naively think that they can sufficiently identify CCPA requestors? Pavur and Knerr saw this in a sectoral pattern of responses to their experiment, with larger and/or regulated entities being firmer with their identity verification requirements.

Now we hear echoes of ChoicePoint because fulfilling a fraudulent request for access equates to giving a third-party unauthorized access to personal information. A consumer file that is released to the wrong party can be misused for tax, insurance and other financial frauds: spear phishing, stalking and other crimes. It could even be the basis for the CCPA right of private action. 

Fraudulent requests for deletion can affect the value of a company’s data holdings and its analytics operations. As presciently noted by Pavur and Knerr, “We would expect future work which replicates a more sophisticated attacker — either via technical means (such as email account hijacking or spoofing) or via physical means (such as passport forgery) — would likely have substantially higher success rates than this baseline threat model.”

The mandated right to access can be a boon to consumers, but manipulated on a broad scale, it can also be a boon to malfeasance.

Imagine getting consumer files across every retail and services sector out there by flooding companies with massive automated requests for access to personal information. Just like spam, there will be companies that respond if the requests have the veneer of legitimacy. It is a new door for improper data access — not a back door, but an actual, legit front door — for fraudsters to obtain all manner of valuable personal information.

The emphasis now is to bend over backward to help consumers to invoke their new rights, but if this is not done well, consumers will ultimately be hurt by fraudsters tampering with their data using the consumer request mechanism.

Companies need to be vigilant as they set up their consumer response processes. This “verified consumer� part is no small thing. It requires a robust commitment to accurately sourcing your verification data, skill in identifying dubious requests, and some healthy skepticism wouldn’t hurt. The emphasis now is to bend over backward to help consumers to invoke their new rights, but if this is not done well, consumers will ultimately be hurt by fraudsters tampering with their data using the consumer request mechanism.

It’s ironic that this next-gen data breach could arise out of well-meaning efforts to comply with a new privacy law. But that’s the kind of big data world we live in. A gap in expertise of this breadth — fraudsters will find a way to take advantage of this gap. With awareness and commitment, organizations will be able to dedicate resources to address such requests properly. Concurrently, perhaps this will be a topic of guidance from the California attorney general’s office.

Until then, as a sage friend put it, “Why do more work (to acquire PII) when you can just ask?�

Photo by Joseph Barrientos on Unsplash

Fortune reports British Airways had a previously undiscovered vulnerability in its data security that potentially exposed customers’ private information. Cybersecurity firm Wandera found that the airline’s check-in links, which include passenger details, such as last names and confirmation numbers in the URLs, are unencrypted. “We take the security of our customers’ data very seriously. Like other airlines, we are aware of this potential issue and are taking action to ensure our customers remain securely protected,” a British Airways representative said. Also in the U.K., facial-recognition images, fingerprint scans and other personal information belonging to 1 million people were found on an unsecured public database used by police and banks. Meanwhile in the U.S., fast-food chain Sonic got final approval for a $4.3 million settlement related to a 2017 credit breach.
Full Story

The Centre for Information Policy Leadership submitted a white paper to the European Commission as the branch continues its work to update standard contractual clauses for international transfers, according to a post from Hunton Andrews Kurth’s Privacy & Information Security Law Blog. The white paper focuses on the challenges organizations face when they use existing SCCs and how these issues can be overcome by updating them to align with the EU General Data Protection Regulation. The CIPL’s recommendations for updating SCCs include ensuring they are adapted to fit multiparty and multiprocessing situations and that the broad territorial scope of the GDPR should be considered when the SCCs are overhauled.
Full Story

TechCrunch reports Preclusio has developed a “machine learning-fueled solution” to help companies adhere to EU General Data Protection Regulation and California Consumer Privacy Act regulations. Businesses can use the platform on premises or in the cloud depending on their preference. The solution uses read-only access data to “identify sensitive data in an automated fashion using machine learning.” The privacy team reviews the findings and makes adjustments to ensure the company is compliant with the regulations. 
Full Story